From 8387b85456cfd5e10fb24d9e618358eb141e7e6f Mon Sep 17 00:00:00 2001
From: kyleecodes
Date: Mon, 3 Jun 2024 18:44:24 -0400
Subject: [PATCH 1/2] Actions: Config dependabot on PRs, Actions, Devcontainers

---
 .github/dependabot.yml | 26 ++++++++++++++-----
 ...ssues.yml => dependabot-create-issues.yml} | 9 ++++---
 .github/workflows/dependabot-pr-review.yml | 22 ++++++++++++++++
 3 files changed, 48 insertions(+), 9 deletions(-)
 rename .github/workflows/{create-dependabot-issues.yml => dependabot-create-issues.yml} (87%)
 create mode 100644 .github/workflows/dependabot-pr-review.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9a2b48cf..920cba0f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,7 +1,5 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+# This file contains the configs for dependabot.
+# See for more info: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 
 version: 2
 updates:
@@ -11,5 +9,21 @@ updates:
       interval: "weekly"
       time: "09:00"
       timezone: "Europe/London"
-    target-branch: "develop"
-
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the default location of `.github/workflows`.
+    # (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "09:00"
+      timezone: "Europe/London"
+
+  # Maintain dependencies for dev containers
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "09:00"
+      timezone: "Europe/London"
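Review bot: Removing `target-branch: "develop"` from the first entry (and not setting it on the two new `github-actions` and `devcontainers` entries) makes Dependabot open its pull requests against the repository's default branch, while the issue-creation workflow elsewhere in this series still filters on `branches: [develop]`; if the default branch is not `develop`, that workflow will no longer fire for Dependabot PRs. Either restore `target-branch: "develop"` on all three entries or drop the branch filter in the workflow so the two stay in agreement. The new `github-actions` entry is also what makes full-commit-SHA pinning of actions practical, since Dependabot bumps the SHA and keeps a trailing `# vN` comment current, so a short comment such as `# Also keeps SHA-pinned `uses:` references in the workflows up to date` would record why it is here.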
diff --git a/.github/workflows/create-dependabot-issues.yml b/.github/workflows/dependabot-create-issues.yml
similarity index 87%
rename from .github/workflows/create-dependabot-issues.yml
rename to .github/workflows/dependabot-create-issues.yml
index 3c81e59e..1af6c80a 100644
--- a/.github/workflows/create-dependabot-issues.yml
+++ b/.github/workflows/dependabot-create-issues.yml
@@ -1,3 +1,6 @@
+# This workflow opens issues for pull requests opened by dependabot.
+# See for more info: https://github.com/actions/dependency-review-action
+
 name: Create Dependabot Issues # from pull requests
 
 on:
@@ -10,12 +13,12 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       issues: write
-    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Create issue
         uses: actions-cool/issues-helper@v3
         with:
-          actions: 'create-issue'
+          actions: "create-issue"
           token: ${{ secrets.GITHUB_TOKEN }}
           title: ${{ github.event.pull_request.title }}
           body: |
@@ -28,4 +31,4 @@ jobs:
 
             ### Resources
             GitHub Docs - Reviewing Pull Requests with Dependency Updates: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request
-          labels: 'dependencies'
+          labels: "dependencies"
diff --git a/.github/workflows/dependabot-pr-review.yml b/.github/workflows/dependabot-pr-review.yml
new file mode 100644
index 00000000..6acb24f7
--- /dev/null
+++ b/.github/workflows/dependabot-pr-review.yml
@@ -0,0 +1,22 @@
+# This workflow enables dependency scans on pull requests.
+# When changes in dependencies are detected, it will raise an error
+# if any vulnerabilities or invalid licenses are introduced.
+# See for more info: https://github.com/actions/dependency-review-action
+
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v4
+        with:
+          # fails when moderate vulnerabilities are deteched
+          fail-on-severity: moderate

From b914bbb803d993ae59e8ce98d58e28b4c5a3dd26 Mon Sep 17 00:00:00 2001
From: kyleecodes
Date: Thu, 6 Jun 2024 20:37:47 -0400
Subject: [PATCH 2/2] Workflow updates

---
 .../workflows/dependabot-create-issues.yml | 34 ----------------
 .github/workflows/dependabot-open-issues.yml | 39 +++++++++++++++++++
 2 files changed, 39 insertions(+), 34 deletions(-)
 delete mode 100644 .github/workflows/dependabot-create-issues.yml
 create mode 100644 .github/workflows/dependabot-open-issues.yml

diff --git a/.github/workflows/dependabot-create-issues.yml b/.github/workflows/dependabot-create-issues.yml
deleted file mode 100644
index 1af6c80a..00000000
--- a/.github/workflows/dependabot-create-issues.yml
+++ /dev/null
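Review bot: The header comment promises an error when "invalid licenses are introduced", but the only input set is `fail-on-severity: moderate`; with no `allow-licenses:` or `deny-licenses:` list the action has nothing to flag on license grounds, so either add one of those inputs or trim the comment to vulnerabilities. The inline comment also misspells "detected" and understates the threshold — `# fails on advisories of moderate severity or higher` is accurate. Both `actions/checkout@v4` and `actions/dependency-review-action@v4` are pinned to mutable major tags; since this same commit adds the `github-actions` Dependabot ecosystem, pinning each `uses:` to a full commit SHA with a trailing `# v4` comment closes the tag-retargeting gap without adding maintenance burden. The action also needs the repository's dependency graph enabled to return results, which cannot be confirmed from the diff and is worth a line in the header comment.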
@@ -1,34 +0,0 @@
-# This workflow opens issues for pull requests opened by dependabot.
-# See for more info: https://github.com/actions/dependency-review-action
-
-name: Create Dependabot Issues # from pull requests
-
-on:
-  pull_request:
-    types: [opened]
-    branches: [develop]
-
-jobs:
-  create-issue:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
-    steps:
-      - name: Create issue
-        uses: actions-cool/issues-helper@v3
-        with:
-          actions: "create-issue"
-          token: ${{ secrets.GITHUB_TOKEN }}
-          title: ${{ github.event.pull_request.title }}
-          body: |
-            ### Dependabot opened a pull request to update a dependency. Please review it: ${{ github.event.pull_request.html_url }}
-            - [ ] Comment on this issue tagging Chayn staff (@kyleecodes) to be assigned as a reviewer on the PR.
-            - [ ] Review the pull request. See GitHub Docs below for guidance. Check the files changed, dependency review, and workflow test runs.
-            - [ ] Verify tests and happy paths are functional by cloning the dependabot branch and running locally.
-            - [ ] If pull request does not pass tests, suggest changes or write comments in the review.
-            - [ ] When tests pass, approve changes to complete the review, then notify us in issue discussions so we can get this merged.
-
-            ### Resources
-            GitHub Docs - Reviewing Pull Requests with Dependency Updates: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request
-          labels: "dependencies"
diff --git a/.github/workflows/dependabot-open-issues.yml b/.github/workflows/dependabot-open-issues.yml
new file mode 100644
index 00000000..093d40e4
--- /dev/null
+++ b/.github/workflows/dependabot-open-issues.yml
@@ -0,0 +1,39 @@
+# This workflow opens issues for pull requests opened by dependabot.
+# See for more info: https://github.com/actions/dependency-review-action
+
+name: Open Dependabot Issues # from pull requests
+
+on:
+  pull_request:
+    types: [opened]
+    branches: [develop]
+
+jobs:
+  create-issue:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    steps:
+      - name: Create issue
+        uses: actions-cool/issues-helper@v3
+        with:
+          actions: "create-issue"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          title: ${{ github.event.pull_request.title }}
+          body: |
+            ### Dependabot opened a pull request to update a dependency. Please review it: ${{ github.event.pull_request.html_url }}
+            - [ ] Comment on this issue tagging Chayn staff (@kyleecodes) to be assigned this issue.
+            - [ ] If you are a Chayn volunteer, we will assign you as a reviewer to the PR after you've accepted an invite to join this repo as a collaborator.
+            - [ ] Review the pull request. Check dependency files (such as package.json) to verify that the dependency has not already been updated.
+            - [ ] See GitHub Docs below for guidance. Check the files changed, dependency review, and workflow test runs.
+            - [ ] Upgrade the dependency. Please research it instead of simply updating the version numbers, as some upgrades may require code changes.
+            - [ ] Verify tests and happy paths are functional by cloning the dependabot branch and running locally.
+            - [ ] Next, complete the pull request review if you a volunteer, or notify us in issue discussions that you are done reviewing the PR.
+            - If the dependency upgrade does not pass tests or breaks the app, notify us in issue discussions, or in the pull request review if you're a volunteer. You may work on the required code changes or finish the review as is.
+            - If the dependency upgrade passes tests without breaking the app, notify us in the issue discussions, or approve the pull request if you are a volunteer. Then we'll get the PR merged!
+
+            ### Resources
+            - GitHub Docs - Reviewing Pull Requests with Dependency Updates: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request
+            - GitHub Docs - Reviewing Pull Requests: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request
+          labels: "dependencies"
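Review bot: The header comment on the new file points at `https://github.com/actions/dependency-review-action`, but the only action this workflow runs is `actions-cool/issues-helper`, so the link sends a maintainer to the wrong project; it should read `# See for more info: https://github.com/actions-cool/issues-helper`. `issues-helper@v3` is a third-party action invoked with a token that the job grants `issues: write`, yet it is pinned only to a mutable major tag; pinning it to a full commit SHA with a trailing `# v3` comment (which the `github-actions` Dependabot entry added in the first patch will keep current) is the usual control for that combination. The `permissions:` block would also benefit from a why-comment, `# explicit grant needed: runs triggered by dependabot[bot] get a read-only GITHUB_TOKEN by default`, since otherwise a later cleanup may remove it as redundant. Finally, the checklist text has a dropped word — `if you a volunteer` should be `if you are a volunteer`.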